
Vinodkumar Vanga Microland Ltd

Microsoft System Center Configuration Manager 2007 (ConfigMgr) provides a comprehensive solution for change and configuration management for the Microsoft platform, enabling organizations to provide relevant software and updates to users quickly and cost-effectively.

Configuration Manager 2007 provides the following features:

Collecting hardware and software inventory.
Distributing and installing software applications.
Distributing and installing updates to software, for example security fixes.
Working with Windows Server 2008 operating system Network Policy Server to restrict computers from accessing the network if they do not meet specified requirements, for example having certain security updates installed.
Deploying operating systems.
Specifying what a desired configuration would be for one or more computers and then monitoring adherence to that configuration.
Metering software usage.
Remotely controlling computers to provide troubleshooting support.

Other Information
MS SCCM 2007 Certification paper 70-401

SCCM Components
The SCCM Site
Primary Site
Secondary Site
Parent Site
Child Site
Central Site

A site consists of:
Site Server
Site System roles
Clients
Resources

Site System
A site system is any computer running a supported version of Microsoft Windows or a shared folder that hosts one or more site system roles.

Site System Role / Description / Required?

Site server
Description: The role assigned to the server on which Configuration Manager 2007 Setup has been run successfully.
Required? Yes. Every site must have exactly one site server role.

Site database server
Description: The role assigned to the computer running Microsoft SQL Server and hosting the Configuration Manager 2007 site database. You can use only Microsoft SQL Server 2005, Standard or Enterprise Edition, to host the site database. SQL Server 2005 Express is not a supported SQL Server 2005 version for hosting the site database.
Required? Every primary site requires a site database server role, but secondary sites do not require them.

Configuration Manager console
Description: Any computer running the Configuration Manager console.
Required? No. The Configuration Manager console is automatically installed by default on primary site servers during Setup. You can install additional Configuration Manager consoles on remote computers, for example, the workstation of the Configuration Manager administrator. However, some organizations write their own user interface using the Configuration Manager software developer kit (SDK) and never use the Configuration Manager console.

SMS Provider computer
Description: The Configuration Manager console does not access the database directly, but instead uses Windows Management Instrumentation (WMI) as an intermediary layer. The SMS Provider is the WMI Provider for Configuration Manager.
Required? Yes, for primary sites. When you install a primary site, you select which computer will host the SMS Provider; usually, it's the site server or the site database server.

Component server
Description: Any computer hosting a Configuration Manager 2007 site role that requires installing special Configuration Manager 2007 services.
Required? The only site system role that does not require the installation of a special Configuration Manager 2007 service is the distribution point.

Distribution point
Description: A site system role that stores packages for clients to install.
Required? Required for the following features: software distribution, software updates, and advertised task sequences used in operating system deployment.

Fallback status point
Description: A site system role that gathers state messages from clients that cannot install properly, cannot assign to a Configuration Manager 2007 site, or cannot communicate securely with their assigned management point.
Required? Not required, but very helpful to troubleshoot issues with clients.

Management point
Description: The site system role that serves as the primary point of contact between Configuration Manager 2007 clients and the Configuration Manager 2007 site server.
Required? Every site with intranet clients must have one default management point, though the default management point might be a cluster of several site systems configured as management points.

PXE service point
Description: A site system role that has been configured to respond to and initiate operating system deployments from computers whose network interface card is configured to allow PXE boot requests.
Required? Required only for operating system deployment using PXE boot requests.

Reporting point
Description: A site system role that hosts the Report Viewer component for Web-based reporting functionality.
Required? Required only to use the reporting feature. Reports are often helpful when diagnosing client issues.

Server locator point
Description: A site system role that locates management points for Configuration Manager 2007 clients.
Required? Required for some client deployment scenarios.

Software update point
Description: A site system role assigned to a computer running Microsoft Windows Server Update Services (WSUS).
Required? Required only for the software update feature.

State migration point
Description: A site system role that stores user state data while a computer is being migrated to a new operating system.
Required? Required for operating system deployment when migrating user state.

System Health Validator point
Description: The site system role assigned to a computer running Network Policy Service.
Required? Required only for the Configuration Manager 2007 Network Access Protection feature.

Asset Intelligence synchronization point
Description: A site role that is used to connect to System Center Online to manage Asset Intelligence catalog information updates.
Required? Required only to synchronize the local Asset Intelligence catalog with System Center Online by Microsoft SA license customers.

Out of band service point
Description: A site system role that discovers, provisions, and manages desktop computers that have management controllers (such as AMT-based computers).
Required? Required only for the out of band management feature.

Reporting Services point
Description: A site system role assigned to a computer running SQL Reporting Services.
Required? Required only if you want to use SQL Reporting Services to report Configuration Manager 2007 R2 data. Integrating Configuration Manager 2007 R2 reports with SQL Reporting Services provides a richer reporting experience. However, the reporting point still works and does not require SQL Reporting Services or a Reporting Services point.

Client status reporting host system
Description: Although the client status reporting host system site system role is not actually a site system configured in the Configuration Manager console, it is a role that can be added to a client or server computer to report back to the site server about the client computers it monitors.
Required? Required only if using the client status reporting feature.

Types of Sites
Primary Sites: The first Configuration Manager 2007 site you install must be a primary site. A primary site stores Configuration Manager 2007 data for itself and all the sites beneath it in a SQL Server database.

Secondary Sites: A secondary site has no Configuration Manager 2007 site database. The secondary site forwards the information it gathers from Configuration Manager 2007 clients, such as computer inventory data and Configuration Manager 2007 system status information, to its parent site. The advantages of using secondary sites are that they do not require any additional Configuration Manager 2007 server license and do not incur the overhead of maintaining an additional database.

Parent Sites
A parent site is a primary site that has one or more sites attached to it in the hierarchy. Only a primary site can have child sites. A secondary site is always a child site. A parent site contains pertinent information about its lower level sites, such as computer inventory data and Configuration Manager 2007 system status information, and it can control many operations at the child sites.

Child Sites
A child site is a site that is attached to a site above it in the hierarchy. The site it reports to is its parent site. A child site can have only one parent site. Configuration Manager 2007 copies all the data that is collected at a child site to its parent site. A child site is either a primary site or a secondary site.

Central Site
A central site has no parent site. Typically, a central site has child and grandchild sites and aggregates all of their client information to provide centralized management and reporting. A site with no parent and no child site is still called a central site although it is also referred to as a stand-alone site.
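
A planned hierarchy can be checked against the site rules above: one site server per site, a site database server on every primary site, a management point where there are intranet clients, and secondary sites always attached to a primary parent. The following is an added example, not part of the original deck; the site codes, dictionary layout and role strings are constructed for illustration.

```python
# Added example: checks a planned hierarchy against the site rules stated above.
# Site codes, the dict layout and the role strings are constructed for illustration.

def validate_hierarchy(sites):
    """Return a sorted list of rule violations for a {site_code: spec} plan.

    spec keys: "type" ("primary" or "secondary"), "parent" (site code or None),
    "roles" (list of role names), "intranet_clients" (bool).
    """
    problems = []
    for code, spec in sites.items():
        roles = spec.get("roles", [])
        parent = spec.get("parent")

        # Every site must have exactly one site server role.
        if roles.count("site server") != 1:
            problems.append(f"{code}: needs exactly one site server role")
        # Every primary site requires a site database server role.
        if spec["type"] == "primary" and "site database server" not in roles:
            problems.append(f"{code}: primary site has no site database server role")
        # Every site with intranet clients must have a default management point.
        if spec.get("intranet_clients") and "management point" not in roles:
            problems.append(f"{code}: has intranet clients but no management point")
        # A secondary site is always a child site.
        if spec["type"] == "secondary" and parent is None:
            problems.append(f"{code}: secondary site has no parent site")
        # Only a primary site can have child sites.
        if parent is not None:
            if parent not in sites:
                problems.append(f"{code}: parent {parent} is not in the plan")
            elif sites[parent]["type"] != "primary":
                problems.append(f"{code}: parent {parent} is not a primary site")

        # Following parent links must end at a site with no parent (a central
        # site); a loop means the hierarchy has no top.
        seen, cur = {code}, parent
        while cur is not None and cur in sites:
            if cur in seen:
                problems.append(f"{code}: parent chain loops, no central site reached")
                break
            seen.add(cur)
            cur = sites[cur].get("parent")
    return sorted(problems)


def central_sites(sites):
    """Primary sites with no parent site."""
    return sorted(c for c, s in sites.items()
                  if s["type"] == "primary" and s.get("parent") is None)


FULL = ["site server", "site database server", "management point"]

# Constructed sample plan with three deliberate mistakes (P01, S02, S03).
PLAN = {
    "CEN": {"type": "primary", "parent": None, "roles": FULL,
            "intranet_clients": True},
    "P01": {"type": "primary", "parent": "CEN",
            "roles": ["site server", "management point"],
            "intranet_clients": True},
    "S01": {"type": "secondary", "parent": "P01",
            "roles": ["site server", "management point"],
            "intranet_clients": True},
    "S02": {"type": "secondary", "parent": "S01", "roles": ["site server"],
            "intranet_clients": True},
    "S03": {"type": "secondary", "parent": None, "roles": ["site server"],
            "intranet_clients": False},
}

if __name__ == "__main__":
    print("central site(s):", central_sites(PLAN))
    for line in validate_hierarchy(PLAN):
        print(line)
```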

Ports Used for SCCM 2007

The following features are new to Configuration Manager 2007:
Desired configuration management
Network Access Protection for Configuration Manager
Wake On LAN

The following features were previously available only in Feature Packs but are now incorporated into the core product:
Mobile device management
Operating system deployment
Transfer site settings wizard
Manage site accounts tool (MSAC)
Asset Intelligence

The following features have changed significantly from SMS 2003:
Backup and recovery
Software updates

The following features have been improved but still function very much as they did in SMS 2003:
The administrator console
Collections
Software distribution
Software metering
Remote tools

The following features either have not changed or have minor changes:
Discovery
Inventory
Queries
Reporting

Configuration Manager 2007 R2

Application Virtualization. For more information, see About Virtual Application Packages.
Forefront Client Security Integration. For more information, see About Forefront Client Security Integration with Configuration Manager 2007 R2.
SQL Reporting Services Reporting. Allows you to report on Configuration Manager activity using SQL Reporting Services.
Client Status Reporting. Provides a set of tools and Configuration Manager 2007 reports to assess the status of client computers, sometimes referred to as "client health." Clients that show a change in activity patterns might need administrative intervention.
Operating System Deployment Enhancements. The following enhancements are included in Configuration Manager 2007 R2:

Unknown computer support: In Configuration Manager 2007 R2, you can deploy operating systems to computers using a PXE service point without first adding the computer to the Configuration Manager database. For more information, see About Unknown Computer Support for Operating System Deployment.

Multicast deployment: Previously, all operating system deployments used unicast. Multicast can make more efficient use of network bandwidth when deploying large images to several computers at the same time. For more information, see About Multicast for Operating System Deployment.

Running command lines in task sequences with credentials other than the local system account.

Knowing SCCM 2007

Some Concepts / Terms

The administrator console
Collections
Inventory
Queries
Reporting
Software distribution
Software updates
Software metering
Mobile Device management
Operating system deployment
Desired configuration management
Remote tools
Network Access Protection
Wake On LAN
Out of band management

Supported Platforms

Admin Console
The Configuration Manager 2007 console is the most common way that Configuration Manager administrators use Configuration Manager 2007, although some organizations use the Software Development Kit (SDK) to build custom user interfaces and many administrators use scripting to manage repetitive tasks more efficiently. You can run the console from the site server or install additional consoles on your desktop or help desk computers to facilitate management. One console can manage many sites or many consoles can manage a single site.

Collections
Collections represent groups of resources and can consist not only of computers, but also of Microsoft Windows users and user groups as well as other discovered resources. Collections provide you with the means to organize resources into easily manageable units, enabling you to create an organized structure that logically represents the kinds of tasks that you want to perform. Collection membership can be either direct or query based.

Inventory
Hardware and software on Configuration Manager 2007 clients.
Hardware inventory gives you system information (such as available disk space, processor type, and operating system) about each computer. You can configure the information returned in hardware inventory by modifying the SMS_def.mof file.
Software inventory agent gives you information such as inventoried file types and versions present on client computers.

Queries
The query feature in Configuration Manager 2007 uses WBEM query language (WQL) to query the site database. Query results are returned in the Configuration Manager 2007 console, where they can be exported using the MMC export list feature. Queries can also be used to create collections of resources that meet the query criteria.

Reporting
Reporting is a supporting feature to many other Configuration Manager 2007 features. Reports are returned in Web pages in the browser. Programming is not required, but knowledge about creating SQL queries is extremely helpful.

Software distribution
Software distribution allows you to push just about anything to a client computer. Packages in software distribution can contain source files to deploy software applications and commands called programs that tell the client what executable file to run.

Software updates
The software updates feature provides a set of tools and resources that can help manage the complex task of tracking and applying software updates to client computers in the enterprise.

Software metering
Software metering enables you to collect and report software program usage data. The data provided by these reports can be used by many groups within the organization such as IT and corporate purchasing.

Software metering in Configuration Manager 2007 supports the following scenarios:

Identify which software applications are being used, and who is using them.
Identify the number of concurrent usages of a specified software application.
Identify actual software license requirements.
Identify redundant software application installations.
Identify unused software applications which could be relocated.

Mobile Device management
Mobile devices are supported as Configuration Manager 2007 clients. Mobile clients can run a subset of Configuration Manager 2007 features such as inventory and software distribution, but cannot be managed by remote control and cannot receive operating system deployments like desktop clients.

Operating system deployment
Operating system deployment enables you to install new operating systems and software onto a computer.
Operating system deployment provides the following solutions for deploying operating system images to computers:

Provide a secure operating system deployment environment.
Assist with managing the cost of deploying images by allowing one image to work with different computer hardware configurations.
Assist with unifying deployment strategies to help provide a solid deployment foundation for future operating system deployment methods.

Desired configuration management
Desired configuration management enables you to define configuration standards and policies, and audit compliance throughout the enterprise against those defined configurations. This feature is designed to provide data for use by many groups within the organization, including IT and corporate security. Desired configuration management supports the following scenarios:

Detect production server configuration drift and confirm provisioned servers meet expected build requirements.
Provide the help desk with probable cause information, reducing the time-to-resolve (TTR) of incidents, and provide probable cause analysis for problems.
Report compliance with regulatory policies and in-house security policies.
Provide change verification and tracking.

Remote tools
Remote tools in Configuration Manager 2007 include the remote control feature, which allows an operator with sufficient access rights to remotely administer client computers in the Configuration Manager 2007 site hierarchy. You can use remote control to troubleshoot problems on client computers and to provide remote help desk support where access to the user's computer is necessary.

Network Access Protection
Network Access Protection (NAP) is a policy enforcement platform built into the Windows Vista and Windows Server 2008 operating systems that helps you to better protect network assets by enforcing compliance with system health requirements. You can configure DHCP Enforcement, VPN Enforcement, 802.1X Enforcement, IPSec Enforcement, or all four, depending on your network needs.
Network Access Protection in Configuration Manager 2007 works with Windows Network Policy Server (NPS) on Windows Server 2008 to enforce software update compliance through client remediation.

Wake On LAN
The Wake On LAN feature helps to achieve a higher success rate for scheduled Configuration Manager 2007 activities, reducing associated network traffic during business hours, and helps organizations to conserve power by not requiring computers to be left on for maintenance outside business hours. Wake On LAN in Configuration Manager 2007 supports the following scenarios:

Sending a wake-up transmission prior to the configured deadline for a software update deployment.
Sending a wake-up transmission prior to the configured schedule of a mandatory advertisement, which can be for software distribution or a task sequence.

Out of band management
Applies only to Configuration Manager 2007 SP1.
The out of band management feature in Configuration Manager 2007 SP1 provides powerful management control for computers that have the Intel vPro chip set and Intel Active Management Technology (Intel AMT) firmware versions 3.2 or later. Out of band management requires a Microsoft public key infrastructure (PKI) and supports the following scenarios:

Powering on one or many computers (for example, for maintenance on computers outside business hours).
Powering off one or many computers (for example, the operating system stops responding).
Restarting a nonfunctioning computer or booting from a locally connected device or known good boot image file.
Re-imaging a computer by booting from a boot image file that is located on the network or by using a PXE server.
Reconfiguring the BIOS settings on a selected computer (and bypassing the BIOS password if this is supported by the BIOS manufacturer).
Booting to a command-based operating system to run commands, repair utilities, or diagnostic applications (for example, upgrading the firmware or running a disk repair utility).
Configuring scheduled software update deployments and advertisements to wake up computers prior to running.

Site Operations
Client Deployment Logs
Server Recovery (Backup / Recovery)
Routine Maintenance
Status Message
State Message

Client Deployment Logs


The Configuration Manager 2007 client logs are located in one of the following locations:

On computers that serve as management points, the client logs are located in the SMS_CCM\Logs folder.
On all other computers, the client log files are located in the %Windir%\System32\CCM\Logs folder or the %Windir%\SysWOW64\CCM\Logs folder.

Log File Name: Description

CAS: Content Access service. Maintains the local package cache.
CcmExec.log: Records activities of the client and the SMS Agent Host service.
CertificateMaintenance.log: Maintains certificates for Active Directory directory service and management points.
ClientIDManagerStartup.log: Creates and maintains the client GUID.
ClientLocation.log: Site assignment tasks.
ContentTransferManager.log: Schedules the Background Intelligent Transfer Service (BITS) or the Server Message Block (SMB) to download or to access SMS packages.
DataTransferService.log: Records all BITS communication for policy or package access.
Execmgr.log: Records advertisements that run.
FileBITS.log: Records all SMB package access tasks.
Fsinvprovider.log (renamed to FileSystemFile.log in all SMS 2003 Service Packs): Windows Management Instrumentation (WMI) provider for software inventory and file collection.
InventoryAgent.log: Creates discovery data records (DDRs) and hardware and software inventory records.
LocationServices.log: Finds management points and distribution points.
Mifprovider.log: The WMI provider for .MIF files.
Mtrmgr.log: Monitors all software metering processes.
PolicyAgent.log: Requests policies by using the Data Transfer service.
PolicyAgentProvider.log: Records policy changes.
PolicyEvaluator.log: Records new policy settings.
RemoteControl.log: Logs when the remote control component (WUSER32) starts.
Scheduler.log: Records schedule tasks for all client operations.
Smscliui.log: Records usage of the Systems Management tool in Control Panel.
StatusAgent.log: Logs status messages that are created by the client components.
SWMTRReportGen.log: Generates a usage data report that is collected by the metering agent. (This data is logged in Mtrmgr.log.)

Backup and Recovery
The Site Repair Wizard walks you through the necessary steps to complete the site recovery.

Like any enterprise software, your site should be backed up to provide recoverability in case of unexpected events. Backing up a Configuration Manager 2007 site involves backing up the database, the file system, and the registry all at the same point in time; backing up just one of these elements is not sufficient to restore a working site. Configuration Manager 2007 uses the Volume Shadow Copy Service (VSS) to take small, frequent snapshots of the necessary components, making it easier to restore a failed site.

Routine Maintenance
Routine monitoring operations for the site consist primarily of checking status messages, file backlogs, and key log files. Some database tasks are automated and configurable in the Configuration Manager console.

Status Message
Informational and success status messages indicate that the site is performing as expected. Error and Warning status messages indicate that problems exist. The status messages often contain troubleshooting information like possible causes and solutions.

State Message
State messages, which are different from status messages, are used to track the current state of some site operations. Unlike status messages, there is no viewer for state messages. All state messages are viewed using reports.

Client Deployment and Discovery
Hardware / Software Inventory
Software Metering
Remote tools
Software distribution
Patch management
Reporting

Client Deployment
Configuration Manager 2007 provides several options for installing the client software.
Client Computer Installation Method: Description

Software update point installation: Uses the Automatic Update configuration of a client to direct the client computer to a WSUS computer configured as a Configuration Manager 2007 software update point. The client computer installs the Configuration Manager 2007 client software as though it was a software update.

Client push installation: Uses an account with administrative rights to access the client computers and install the Configuration Manager 2007 client software. This method requires File and Print sharing and the related ports to be enabled on the client computer.

Manual client installation: A user with administrative rights can install the client software by running CCMSetup on the client computer. A variety of switches modify the installation options.

Group Policy installation: Uses Group Policy software installation to install CCMSetup.msi.

Imaging: The client software can be added to an image, including images created and deployed with Configuration Manager 2007 operating system deployment.

Software Distribution: Existing clients can be upgraded or redeployed using Configuration Manager 2007 software distribution.

Discovery Methods
Adding clients and resources to the site

Six methods of discovery are available in Configuration Manager 2007:

Network Discovery
Heartbeat Discovery
Active Directory System Group Discovery
Active Directory Security Group Discovery
Active Directory System Discovery
Active Directory User Discovery

Network Discovery
Network Discovery is the most generalized form of discovery. It allows Configuration Manager 2007 to perform a broad search of your network by checking the DHCP leases, looking at routers' Address Resolution Protocol (ARP) caches, or looking for SNMP-enabled devices in a community. Because of the broad spectrum of resources connected to your network, network discovery is also likely to find resources such as printers that are not capable of becoming Configuration Manager 2007 clients.

Heartbeat Discovery
Configuration Manager 2007 also uses Heartbeat Discovery, but instead of it being used to create new database records, it is used to keep existing records up to date. Heartbeat Discovery is the only configurable discovery method that is automatically enabled when Configuration Manager 2007 is installed.
Heartbeat Discovery updates existing DDRs rather than creating new ones. By default, it generates an updated DDR for each client every seven days, although this timing is configurable.

Heartbeat Discovery Process
Heartbeat Discovery runs on installed Configuration Manager clients according to the schedule you specify. With this method enabled, the Client Component Installation Manager (CCIM) on the client causes the Cliex32.dll to generate a DDR, which is then written to the management point. This file is the same size as a normal DDR (approximately 1 KB per client), and so it will generate approximately the same network traffic.

Active Directory based Discovery
Configuration Manager 2007 can also communicate with Active Directory to locate resources such as computer accounts, user accounts, system groups, and security groups already existing in your accounts database.

DDR Record
As Configuration Manager 2007 discovers resources, it creates records in the Configuration Manager database. This record is called a data discovery record (DDR) and the file generated has a .DDR extension.
DDRs include data such as the NetBIOS name of a computer, IP address and IP subnet of a computer or device, operating system, MAC address, and so on. Depending on the discovery method used, resource DDRs are periodically regenerated to keep the discovery data up to date.

OS deployment

Desired Configuration Management Network Access Protection General Guidelines

guidelines SCCM Backup and Recovery Questions and Answers

Troubleshooting
